EXCLUSIVE: Thousands vulnerable after SAPS website is hacked

Picture of www.saps.gov.za which was hacked on Friday 17 May 2013.
Photo: eNCA

Johannesburg - Hundreds of whistle blowers have had their private details exposed after the SAPS (South African Police Service) website was hacked.

On Friday, hackers used what is called a 'data dump' where all the information from the site was taken and placed on a publicly accessible website.

In so doing, the identities of nearly 16,000 South Africans, who lodged a complaint with police on their website, provided tip-offs or reported crimes, are now publicly available.

Details that are compromised include telephone numbers, email addresses and identity numbers of over 15,700 people who used the website from 2005 to this year.

Also included are the usernames and passwords of some 40 SAPS members.

Hackers used the social networking site Twitter to inform the public that they breached police security. This, they said was “for the 34 miners killed during clashes with police in Marikana on August 16 2012”.

On Monday when eNCA.com alerted the police to the security breach, spokesperson Phuti Setati said: “Our site is in order - we have not been hacked. There’s no such – our website is operating normal, we don’t have a problem with our website and they never experienced any problems."

However, eNCA.com was able to download the list posted online in less than five minutes and spoke to some of the people who had logged concerns on the SAPS website. After informing Setati of this, his response was: “The SAPS would like to reserve its comment on the matter at the moment."

Complaints range from rape cases opened in Durban to police brutality in Port Elizabeth. Also on the list are ordinary South Africans asking for help in cases involving vehicle theft and illegal shebeens. People have also complimented police on their work, including speedy responses to emergencies and help in cases.

For security reasons eNCA.com has omitted the names of those members of the public who spoke to us about the cases they reported using the SAPS website.

A Johannesburg woman said she used the SAPS website to lodge her complaint about police brutality while visiting Port Elizabeth. “The case was opened and nothing happened – I still have the case number and nothing has happened. I opened the case at the Motherwell Police Station and the person who is supposed to update me has not been available since that December 2011. Until now, nothing has happened."

Now she says she’s worried about safety following the hacking. “I think it is very bad especially because they never replied to the complaint that I posted. There's no security basically. What is the point of the site [if] nothing is done and hackers even have access to it. It is scary that we are not safe and our information is not safe and you expect that police should have a secure site. Our information is in the hands of people that we don’t know and what they will do with it and its risky. I am really scared.”

Another complainant said she was involved in an assault by police in Claremont, KwaZulu Natal: “I am shocked that people can access my details – because when I logged on I thought it was private and I was complaining against police and I thought only officials can access my information that is why I left my details."

Senior Researcher at the Institute for Security Studies Johan Burger said it was shocking that police were not aware that their website has been hacked.

“It is incredible that police systems are not well enough to protect them from this kind of hacking. Do they have measures in place to prevent this from happening again?” asked Burger.

He said the police should act soon. “One would expect them come out and make a statement saying they are aware of this and what they are doing to limit the damage both for police and those individuals that their details have been posted."

“There’s no one else to complain about crimes to. [The] SAPS is the only one you can complain to. They (the public) have no choice. The metro police compared to [the] SAPS have limited ability to deal with complaints,” said Burger.

Director at Wolf Pack Information Risk Craig Rosewarne said the security breach was known as 'hacktivism' - which is motivated by politics or the need for justice.

“What has happened now, is that information has been taken and pasted on bullet proof sites. These sites are hosted in [other] countries and cannot be taken down,” said Rosewarne.